Access Management 7.3.1

Export to XACML

AM exports only policy sets that contain policy definitions. No other types, such as sub-policy sets or rules, can be included in the exported policy set.

Policy sets to XACML mappings

AM                                            XACML
Realm:<timestamp> (yyyy.MM.dd.HH.mm.ss.SSS)   PolicySet ID
Current Time (yyyy.MM.dd.HH.mm.ss.SSS)        Version
Deny Overrides                                Policy Combining Algorithm ID
No targets defined                            Target

When exporting AM policies to XACML 3.0 policy sets, AM maps its policies to XACML 3.0 policy elements.

Policies to XACML mappings

AM Policy                                                          XACML Policy
Policy Name                                                        Policy ID
Description                                                        Description
Current Time (yyyy.MM.dd.HH.mm.ss.SSS)                             Version
xacml rule target                                                  entitlement excluded resource names
Rule Deny Overrides                                                Rule Combining Algorithm ID
Any of: Entitlement Subject, Resource Names, Policy Set Names,     Target
  Action Values
Any of: Policy Set Name, Entitlement Name, Privilege Created By,   Variable Definitions
  Privilege Modified By, Privilege Creation Date,
  Privilege Last Modification Date
Single Level Permit/Deny Actions converted to Policy Rules         Rules

XACML obligations are not supported. Also, only one XACML match is defined for each privilege action, and only one XACML rule for each privilege action value.

Export policies in XACML format (UI)

  1. In the AM admin UI, go to Realms > Realm Name > Authorization > Policy Sets, and click Export Policy Sets.

    All policy sets, and the policies within them, are exported in XACML format.

Export policies in XACML format (REST)

The export service is available at the /xacml/policies endpoint over an HTTP GET request. Use one of the following URLs, for the root realm or for a specific realm:

https://openam.example.com:8443/openam/xacml/policies
https://openam.example.com:8443/openam/xacml/realm/policies

Here, realm is the name of a specific realm.

You can filter your XACML exports using query search filters. See Export policies in XACML format with search filters (REST).

  1. Use the /xacml/policies endpoint to export the AM entitlement policies into XACML 3.0 format.

    The following curl command exports the policies and returns the XACML response (truncated for display purposes).

    $ curl \
    --request GET \
    --header "iPlanetDirectoryPro: AQIC5…" \
    "https://openam.example.com:8443/openam/xacml/policies"
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
     Version="2014.10.08.21.59.39.231" PolicySetId="/:2014.10.08.21.59.39.231">
     <Target/>
     <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
      Version="2014.10.08.18.01.03.626"
      PolicyId="Rockshop_Checkout_https://forgerock-rockshop.openrock.org:443/wp-login.php*?*">
      …

Export policies in XACML format with search filters (REST)

Note the following points about the search filters:

  • LDAP-based searches. The search filters follow the standard guidelines for LDAP searches as they are applied to the entitlements index in the LDAP configuration backend, located at: ou=default,ou=OrganizationalConfig,ou=1.0,ou=sunEntitlementIndexes,ou=services,dc=openam,dc=forgerock,dc=org.

  • Search filter format. You can specify a single search filter or multiple filters in the HTTP URL parameters. The format for the search filter is as follows:

    [attribute name][operator][attribute value]

    If you specify multiple search filters, they are logically ANDed: the search results meet the criteria specified in all the search filters.

    XACML export search filter format

    Element           Description
    Attribute Name    The name of the attribute to search for. The only permissible values are:
                      application (keyword for policy set), createdby, lastmodifiedby, creationdate,
                      lastmodifieddate, name, description.
    Operator          The type of comparison operation to perform:
                        =  Equals (text)
                        <  Less Than or Equal To (numerical)
                        >  Greater Than or Equal To (numerical)
    Attribute Value   The matching value. Asterisk wildcards are supported.

    1. Use the /xacml/policies endpoint to export the policies into XACML 3.0 format with a search filter.

      This command only exports policies that were created by "amadmin".

      $ curl \
      --request GET \
      --header "iPlanetDirectoryPro: AQIC5…" \
      "https://openam.example.com:8443/openam/xacml/policies?filter=createdby=amadmin"
    2. You can also specify more than one search filter by logically ANDing the filters as follows:

      $ curl \
      --request GET \
      --header "iPlanetDirectoryPro: AQIC5…" \
      "https://openam.example.com:8443/openam/xacml/policies?filter=createdby=amadmin&filter=creationdate=135563832"
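As an added example (not ForgeRock's code), the following Python builds the filtered export URL described above and audits a returned PolicySet against the two mapping tables: it recovers the realm and export timestamp from PolicySetId, lists each policy by PolicyId, and flags any level whose combining algorithm is not deny-overrides. The XACML document is a constructed sample shaped like the truncated curl output; the script assumes the real response body is fetched separately (with curl as shown, or any HTTP client) and passed in as text.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"  # XACML 3.0 namespace, ElementTree style

# Constructed sample shaped like the truncated export shown above (not real AM output).
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
 Version="2014.10.08.21.59.39.231" PolicySetId="/:2014.10.08.21.59.39.231">
 <Target/>
 <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
  Version="2014.10.08.18.01.03.626" PolicyId="Rockshop_Checkout_https://shop.example.com:443/wp-login.php*?*">
  <Description>Constructed sample policy</Description>
  <Target/>
 </Policy>
</PolicySet>
"""

def export_url(base, filters, realm=None):
    """Build the export URL; each filter is '<attribute><operator><value>' as in the table above, and
    repeated filter= parameters are ANDed. safe='=' keeps the operator readable; '*' and '&' are encoded."""
    path = f"/xacml/{realm}/policies" if realm else "/xacml/policies"
    query = urlencode([("filter", f) for f in filters], safe="=")
    return f"{base}{path}?{query}" if query else f"{base}{path}"

def audit_export(xacml_text):
    """Summarise an exported PolicySet per the mapping tables: PolicySetId is realm:timestamp,
    PolicyId is the AM policy name, and both levels should combine with deny-overrides."""
    root = ET.fromstring(xacml_text.encode())
    if root.tag != NS + "PolicySet":
        raise ValueError(f"expected a XACML 3.0 PolicySet, got {root.tag}")
    realm, _, exported_at = root.get("PolicySetId", "").rpartition(":")
    policies = []
    for pol in root.findall(NS + "Policy"):
        desc = pol.find(NS + "Description")
        policies.append({"id": pol.get("PolicyId"), "version": pol.get("Version"),
                         "description": None if desc is None else desc.text, "rules": len(pol.findall(NS + "Rule")),
                         "deny_overrides": pol.get("RuleCombiningAlgId", "").endswith(":deny-overrides")})
    return {"realm": realm, "exported_at": exported_at,
            "deny_overrides": root.get("PolicyCombiningAlgId", "").endswith(":deny-overrides"),
            "policies": policies}

def not_deny_overrides(summary):
    """IDs of anything not combined with deny-overrides, where a single Deny is not guaranteed to win."""
    flagged = [] if summary["deny_overrides"] else ["PolicySet " + summary["realm"]]
    return flagged + [p["id"] for p in summary["policies"] if not p["deny_overrides"]]

if __name__ == "__main__":  # in practice, pass the body of the curl response to audit_export
    summary = audit_export(SAMPLE_EXPORT)
    print(summary["realm"], summary["exported_at"], not_deny_overrides(summary))
```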

Export policies in XACML format (ssoadm)

  1. Use the ssoadm list-xacml command:

    $ ssoadm \
     list-xacml \
     --realm "/" \
     --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
     --password-file /tmp/pwd.txt
    <?xml version="1.0" encoding="UTF-8"?>
    <PolicySet
    …
    Policy definitions were returned under realm, /.

    For more information on the syntax of this command, see ssoadm list-xacml.